OMEGAMON enhanced 3270 user interface security

The OMEGAMON® enhanced 3270 user interface uses the system authorization facility (SAF) interface to authorize and authenticate users. Planning for security includes deciding who requires access to the OMEGAMON enhanced 3270 user interface, what information they may view, and what Take Action commands they should have permission to invoke; choosing or creating an SAF class that will contain the SAF resources; then ensuring that the required IDs are given the appropriate authority to those resources.

The existence of the SAF user ID and its validity are always checked. The enhanced 3270 user interface also runs SAF authorization checks to determine if the user has the authority to perform the following actions:

  • Log on to this instance of the user interface.
  • View the data returned by queries for specific types of data (attribute groups) on a specific managed system.
  • Transmit a Take Action request to a specific managed system.
  • Perform the following interface activities:
    • List users of the enhanced 3270 user interface.
    • Save a data set member.
    • Start or stop user interface tracing.
    • Start or stop internal tracing.
    • Modify (Save As) any PDS member that is named with a user ID different from that of the current user.
    • Change auto-update preferences.
    • Enter a command on the command line.
    • Create and modify a profile member whose name is the same as the user's user ID.
    • Use a hub Tivoli® Enterprise Monitoring Server.
    • Configure near-term history.
User permissions and the amount of security that is imposed are assigned by site administrators. Authorization works as follows:
  • If no SAF security class is supplied (the value for RTE_SECURITY_CLASS is missing or blank), the SAF user ID is still validated, and users may log on to the OMEGAMON enhanced 3270 user interface and access data through queries, but no one may issue Take Action commands.
  • If a SAF security class is supplied, but the class is not defined and active in SAF, no one may log on to the OMEGAMON enhanced 3270 user interface.
  • If a SAF security class is supplied and is defined and active in SAF, but no logon profile is defined in it, no one may log on to the OMEGAMON enhanced 3270 user interface.
  • If a user is able to log on, but the security class used for queries or for Take Action commands is different from the one used for logon and that class is not active or has no resources defined in it, every user can view data for any managed system and perform the other commands and activities, while all Take Action commands are denied.
  • If a security class name is configured, resource profiles must be defined to control logon, data access, and Take Actions, and users must be given access to those profiles. A missing profile therefore fails closed for logon and Take Action, but open for queries and other activities.
Before security is configured in the environment by providing a resource class name, a security administrator must complete the following setup tasks:
  1. Define an SAF general resource class.
  2. Define logon profiles to control access to the enhanced 3270 user interface.
  3. Define Take Action profiles to control access to enhanced 3270 user interface data actions.
  4. Define Query profiles to control access to OMEGAMON enhanced 3270 user interface data sources.
  5. Define profiles to control permissions to additional activities performed using the enhanced 3270 user interface.
  6. Permit access to the profiles by appropriate personnel.
See Enable security for the OMEGAMON enhanced 3270 user interface for information about how to configure security resource profiles.
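The following REXX exec is an added example, not part of this IBM documentation or the OMEGAMON product, showing the RACF commands a security administrator would issue for the six setup tasks above. The class name OMEG3270, the profile names under E3270., the group names OMEGUSRS and OMEGOPER, the POSIT value 500, and the use of READ as the access level are all assumptions for illustration; the real profile names come from the Enable security topic referenced above, an unused POSIT must be chosen from the existing class descriptor table, and the commands require SPECIAL authority. ACF2 and Top Secret use different syntax.

```rexx
/* REXX - added example, not from the IBM documentation.                   */
/* Issues the RACF commands for the six setup tasks in the text.           */
/* ASSUMPTIONS: class name OMEG3270, profile names E3270.*, group names    */
/* OMEGUSRS/OMEGOPER, POSIT(500) and ACCESS(READ) are illustrative only.   */
/* Take the real resource names from the "Enable security" topic.          */
address tso
cls = 'OMEG3270'

/* Task 1: define the general resource class in the dynamic CDT and        */
/* activate it. Do this BEFORE setting RTE_SECURITY_CLASS: a class that   */
/* is named but not defined and active locks everyone out of the UI.       */
"RDEFINE CDT" cls "CDTINFO(DEFAULTUACC(NONE) FIRST(ALPHA)",
   "OTHER(ALPHA,NUMERIC,NATIONAL,SPECIAL) MAXLENGTH(246) POSIT(500)",
   "RACLIST(ALLOWED) GENERIC(ALLOWED) CASE(UPPER))"
"SETROPTS RACLIST(CDT) REFRESH"
"SETROPTS CLASSACT("cls") RACLIST("cls") GENERIC("cls")"

/* Tasks 2-5: every profile gets UACC(NONE), so nothing is open by        */
/* default and Take Action in particular stays closed until permitted.     */
prof.1 = 'E3270.LOGON'          /* task 2: logon to this UI instance       */
prof.2 = 'E3270.ACTION.**'      /* task 3: Take Action, generic profile    */
prof.3 = 'E3270.QUERY.**'       /* task 4: queries, generic profile        */
prof.4 = 'E3270.CMDLINE'        /* task 5: command-line activity           */
prof.0 = 4
do i = 1 to prof.0
   "RDEFINE" cls prof.i "UACC(NONE) AUDIT(FAILURES(READ))"
end

/* Task 6: permit the right IDs. Everyone who logs on gets logon and       */
/* query access; only the operator group gets Take Action and the          */
/* command line. READ as the access level is an assumption of this        */
/* example, not something the documentation states.                        */
"PERMIT E3270.LOGON     CLASS("cls") ID(OMEGUSRS) ACCESS(READ)"
"PERMIT E3270.QUERY.**  CLASS("cls") ID(OMEGUSRS) ACCESS(READ)"
"PERMIT E3270.ACTION.** CLASS("cls") ID(OMEGOPER) ACCESS(READ)"
"PERMIT E3270.CMDLINE   CLASS("cls") ID(OMEGOPER) ACCESS(READ)"
"SETROPTS RACLIST("cls") REFRESH"   /* in-storage profiles update here    */

/* Check: the class must appear under ACTIVE CLASSES and RACLISTed        */
/* classes, and each profile should show UACC NONE with only the          */
/* intended IDs in its access list.                                        */
"SETROPTS LIST"
"RLIST" cls "* AUTHUSER"
```

Run the exec once per system, then set RTE_SECURITY_CLASS to the class name. Because a defined class with no logon profile also locks everyone out, keep the RDEFINE of the logon profile and its PERMIT in the same change as the class activation, and confirm with the RLIST output before the interface is restarted.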

At a minimum, update the security settings to secure the Take Action function. Failure to correctly secure this powerful function of the OMEGAMON enhanced 3270 user interface might give all users full control to modify the managed system, including starting and stopping applications.

Note: The following activities are separately secured by the Data Facility Storage Management System (DFSMS):
  • Display a member list for a data set
  • Browse the contents of a data set member
  • Save a data set member